After receiving several complaints between June 2018 and April 2019, the French supervisory authority (CNIL) exercised its investigative powers against CARREFOUR FRANCE and CARREFOUR BANQUE, leading to two noteworthy decisions on November 18, 2020.
The inspections revealed multiple breaches of EU Regulation 2016/679 (GDPR), of the French Data Protection Act and of the French Post and Electronic Communications Code, which led the authority to impose a financial penalty of 2,250,000 euros on CARREFOUR FRANCE and 800,000 euros on CARREFOUR BANQUE.
The breaches attributed to CARREFOUR are significant GDPR non-compliances, and they gave the CNIL the opportunity to restate the following fundamental principles of personal data protection:
CARREFOUR is criticized for the disproportionate retention of data relating to its customers, in particular members of loyalty programs who are no longer active, and for copying their identity documents when they exercise their rights over the data concerning them.
First, the CNIL faults CARREFOUR for not respecting the retention periods for data relating to its loyalty program members, processed for commercial prospecting purposes, which the company itself had set at four years from their last activity (last transaction or last connection).
It appeared that CARREFOUR kept the data of several million inactive members for periods ranging from five to ten years.
The CNIL recalls that, to determine an appropriate data retention period, both the purpose of the processing and the specificities of the data controller's sector of activity must be examined.
This principle applies all the more to the mass retail sector, since customers are used to returning to the same stores regularly to make their purchases.
The CNIL refers to the former simplified standard no. 48 and considers that in this case the retention period should not exceed three years from the last contact with the company, given the specificities of the processing and the sector of activity of the data controller.
As a reminder, in the SPARTOO decision of July 28, 2020 (CNIL v. SPARTOO SAS, July 28, 2020, SAN-2020-003), the CNIL considered that a retention period of two years for data processed for commercial prospecting purposes was proportionate to the purpose of the processing.
CARREFOUR is then criticized for keeping copies of the identity cards requested from persons wishing to exercise their rights over the data concerning them (right of access, erasure or objection, etc.) for a period of one to six years, which is an excessive retention period in view of the purpose of their processing.
For the CNIL, the copies of the identity cards should not have been kept beyond the processing of the request to exercise the right; keeping the letter of favourable response is then sufficient to justify the follow-up given to the request.
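As an added illustration (not code from the decision or from CARREFOUR), the retention rule discussed above expressed as an audit over constructed member records: last activity is the later of the last transaction and the last connection, and a record is flagged when it is held beyond the three-year limit the CNIL retains, or beyond the four-year limit the company set itself. The `Member` class, field names and sample dates are assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# Two limits from the decision: the controller's own policy (four years from
# last activity) and the three-year ceiling the CNIL considers appropriate for
# loyalty-programme data used for commercial prospecting.
CONTROLLER_POLICY_YEARS = 4
CNIL_LIMIT_YEARS = 3
AUDIT_DATE = date(2020, 11, 18)  # date of the decision, used as "today"

@dataclass
class Member:  # assumed record shape, not Carrefour's schema
    member_id: str
    last_transaction: Optional[date]
    last_connection: Optional[date]

def last_activity(m: Member) -> Optional[date]:
    """Last activity is the most recent of last purchase and last login."""
    known = [d for d in (m.last_transaction, m.last_connection) if d]
    return max(known) if known else None

def years_inactive(m: Member, today: date) -> Optional[float]:
    last = last_activity(m)
    return None if last is None else (today - last).days / 365.25

def retention_audit(members: List[Member], today: date,
                    limit_years: int = CNIL_LIMIT_YEARS) -> List[str]:
    """Ids of members whose data is held beyond limit_years of inactivity.
    A member with no recorded activity at all is reported too: without an
    anchor date the retention clock cannot be justified."""
    overdue = []
    for m in members:
        y = years_inactive(m, today)
        if y is None or y > limit_years:
            overdue.append(m.member_id)
    return overdue

def sample_members() -> List[Member]:
    """Constructed sample records, not data from the decision."""
    return [
        Member("A", date(2019, 5, 1), date(2020, 1, 15)),   # active recently
        Member("B", date(2016, 3, 10), None),               # ~4.7 years idle
        Member("C", date(2017, 6, 1), date(2017, 8, 20)),   # ~3.2 years idle
        Member("D", None, None),                            # no activity known
    ]

if __name__ == "__main__":
    print("beyond CNIL limit:", retention_audit(sample_members(), AUDIT_DATE))
    print("beyond own policy:", retention_audit(sample_members(), AUDIT_DATE, 4))
```

Member C shows the gap the decision turns on: compliant with the company's own four-year policy, yet beyond the three-year period the CNIL considers appropriate.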
CARREFOUR is criticized for not respecting a number of the rights of data subjects with regard to their personal data.
The CNIL criticizes CARREFOUR for not providing users of the www.carrefour.fr and www.carrefour-banque.fr sites with easily accessible information in clear and simple terms, in application of Article 12 of the GDPR, which requires the data controller to communicate information that is "concise, transparent, comprehensible and easily accessible, in clear terms".
Indeed, the authority notes that the information on data processing is spread across several levels on several separate pages, and in particular in the general conditions of use of the loyalty program.
Such multi-level information is permissible, provided that:
- the first level presents the essential characteristics of the processing;
- the second level details all the information relating to the processing;
- the complete information on all processing carried out on the site remains easily accessible to Internet users in a single document distinct from the terms of service (TOS/GCLC).
The CNIL thus applies the Article 29 Working Party (G29) guidelines on transparency, and adopts rules that are already well established but regularly ignored by website publishers.
The authority also faults CARREFOUR for the lack of clarity and precision of the information communicated to Internet users; using simple vocabulary and avoiding legal or technical terms is thus recommended.
Indeed, this information must enable data subjects to determine in advance the scope and consequences of the processing of data concerning them, so that they are not caught off guard by the data controller (see in particular Conseil d'État v. Google LLC, June 19, 2020, no. 430810), which was not the case here.
In this case, besides being insufficiently comprehensible, the information was incomplete in several respects and, in any event, did not include all of the items required by Article 13 of the GDPR.
The information presented on the site should therefore have specified, in an intelligible and transparent manner:
- the identity of the data controller;
- a sufficiently precise legal basis for each processing operation;
- the third countries to which the data is transferred and the safeguards surrounding the transfer;
- the retention period for each category of data processed.
Finally, the CNIL notes that Internet users browsing www.carrefour.fr were also not informed of the placement on their browser of cookies that are not strictly necessary for the site to function (in particular Google Analytics), and could not consent to these cookies.
The CNIL challenges CARREFOUR's practice of systematically requesting a copy of an identity document from persons wishing to exercise their rights over the data concerning them.
Such a practice hinders the exercise of data subjects' rights, in particular by indirectly discouraging them from filing a request.
The authority recalls that the requirement to provide a copy of a proof of identity should be strictly limited to situations where the company has "reasonable doubts as to the identity of the natural person making the request".
Thus, absent a specific reason, the data controller may not require the data subject to provide proof of identity (see in particular VG Berlin, 31 August 2020, 1 K 90.19).
Finally, the CNIL criticizes CARREFOUR for chronic delays in processing requests to exercise rights.
While the GDPR sets the maximum time limit for responding to a request to exercise a right at one month, CARREFOUR was found to stretch this response time to nine months, with consequences for the data subjects, who had to contact the data controller several times.
In any event, if the controller decides not to act on the request, or if an extension of the response period to three months is necessary, the data subject should have been informed without delay (see in particular ANSPDCP v. Viva Credit, July 30, 2020).
One complaint concerned CARREFOUR's alleged failure to process a request for the right of access on the ground that the data subject was not informed of the origin of the data processed by the data controller. On this point, the CNIL indicates that, in the event of a merger or acquisition, the data initially processed by the absorbed company must be considered as indirectly collected by the absorbing company.
Under these conditions, the authority faults CARREFOUR for not having informed the complainant of the origin of the data processed concerning him.
This calls for particular attention to the organization of the databases of absorbed companies, which must make it possible to distinguish the origin of the data.
Finally, the CNIL found multiple breaches of the right to erasure, as the data of data subjects who had exercised it were not completely deleted from the data controller's databases.
While there are no exceptions to the right to object to the processing of data for commercial prospecting purposes, the CNIL notes that CARREFOUR was unable to comply with several requests.
The authority recalls that the data controller must provide data subjects with a means to exercise their right to object to processing for prospecting purposes, and that this right must be systematically honoured.
Concerning more specifically prospecting by electronic means, the CNIL notes that prospecting emails did not allow recipients to object directly to the processing of data concerning them for that purpose, but redirected them to the login page of their customer account.
Pursuant to Article L34-5 of the French Post and Electronic Communications Code, the authority stated that CARREFOUR was obliged to systematically offer recipients of its prospecting emails a simple and effective means of unsubscribing from the mailing list, in particular by setting up a unique unsubscribe link.
During its remote inspections, the CNIL found that personal data, and in particular customer invoices, were publicly accessible on the www.carrefour.fr website without authentication or logging into the customer account.
The absence of appropriate technical and organizational measures to ensure a level of security appropriate to the risk, in this case the risk of unauthorized access to the data, constitutes a clear violation of Article 32 of the GDPR, which imposes a general data security obligation on the data controller (see in particular ICO v. Marriott International, 30 September 2020, COM0804337).
The authority also faults CARREFOUR for not having put in place the corrective measures necessary to protect the data processed on its website after having been notified of this security flaw.
The authority considers that in this case mandatory prior authentication is the only measure that completely eliminates the risk of unauthorized access to the data.
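To make the difference between the flaw found and the remedy the CNIL retains concrete, an added Python sketch (not CARREFOUR's code; the invoice store, the `Session` class and the function names are assumptions) of an invoice lookup with and without mandatory prior authentication, the hardened version also checking that the invoice belongs to the logged-in customer:

```python
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed sample store: each invoice belongs to exactly one customer.
INVOICES: Dict[str, dict] = {
    "INV-1001": {"customer_id": "cust-A", "total_eur": 42.50},
    "INV-1002": {"customer_id": "cust-B", "total_eur": 17.90},
}

@dataclass
class Session:  # assumed shape of the visitor's session
    customer_id: Optional[str]  # None when the visitor is not logged in

class AccessDenied(Exception):
    pass

def get_invoice_unprotected(invoice_id: str) -> dict:
    """The flaw described in the decision: the invoice is served to anyone
    who presents its id, logged in or not."""
    return INVOICES[invoice_id]

def get_invoice_authenticated(session: Session, invoice_id: str) -> dict:
    """Hardened version: require a logged-in session, then confirm the
    invoice belongs to that customer before returning it."""
    if session.customer_id is None:
        raise AccessDenied("authentication required")
    invoice = INVOICES.get(invoice_id)
    # One response for both "unknown id" and "someone else's invoice", so
    # the endpoint does not reveal which ids exist.
    if invoice is None or invoice["customer_id"] != session.customer_id:
        raise AccessDenied("invoice not available for this account")
    return invoice

def can_view(session: Session, invoice_id: str) -> bool:
    """True only when the hardened check passes for this session and id."""
    try:
        get_invoice_authenticated(session, invoice_id)
    except AccessDenied:
        return False
    return True
```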
It is specified that, pursuant to Article 33 of the GDPR, any personal data breach that creates a risk to the rights and freedoms of data subjects must, as a matter of principle, be notified to the supervisory authority (see in particular UODO v. USp.zo., 12 November 2020, DKN.5101.25.2020).
However, the CNIL notes that CARREFOUR decided not to notify a data breach affecting 275 of its customers, even though its risk analysis clearly showed that, given the malicious origin of the breach, the exception to the notification obligation did not apply.
A textbook case applying rules already firmly established in the Member States, the CNIL's decision reminds data stakeholders that compliance with the most fundamental principles of personal data law, and in particular the GDPR, is not optional.
Failing that, full cooperation with the supervisory authority will not allow the controller to escape sanction, but only, at best, to reduce its amount and limit its reputational impact.
As a reminder, since the turnover retained by the CNIL for the company is 14.9 billion euros, the sanction imposed for the breaches found could have been far more substantial and reached 3 billion euros.