Personal data: Carrefour fined more than 3 million euros – Confidentiality



Having received several complaints against the Carrefour group, the National Commission for Informatics and Liberties (the Data Protection Authority, hereinafter the “CNIL”) carried out checks between May and July 2019 at Carrefour France (mass distribution) and Carrefour Banque (banking sector)1. During these checks, the CNIL noted a number of breaches in the processing of customer and potential user data and consequently imposed a fine of 2,250,000 euros on Carrefour France and 800,000 euros on Carrefour Banque.2 The violations mainly concerned the information provided to individuals and respect for the rights of those individuals.

Failure to comply with the obligation to provide information to individuals (article 13 of the GDPR)

The information provided to users of the and sites, as well as to people wishing to join the loyalty program or the Pass card, was not easily accessible (access to information was too complicated, in very long documents containing other information), nor easily understandable (information written in general and imprecise terms, sometimes using unnecessarily complicated terms).

In addition, it was incomplete with regard to the data retention period.

Regarding the site, there was also insufficient information regarding data transfers outside the European Union and the legal basis for data processing (files).

Non-compliance with the use of cookies (article 82 of the Data Protection Act)

The CNIL noted that when a user connected to the or site, several cookies were automatically stored on his terminal, before any action on his part. As many of these cookies were used for advertising purposes, the user’s consent should have been collected before these cookies were stored.

Violation of the obligation to limit the retention period of data (article 5.1.e of the GDPR)

Carrefour France did not respect the data retention periods it had set. The data of more than twenty-eight million customers who had been inactive for five to ten years were kept as part of the loyalty program. The same was true for 750,000 users of the site who had been inactive for five to ten years.

In addition, the CNIL considered that a retention period of 4 years for customer data after their last purchase was excessive. According to the CNIL, this duration, initially set by the company, exceeds what appears necessary in the large-scale distribution sector, given the consumption habits of customers who mainly make regular purchases.

Violation of the obligation to facilitate the exercise of the rights of the data subject (Article 12 of the GDPR)

Except for objections to commercial prospecting, Carrefour France required an identity document for any request to exercise a right.

The CNIL considered that this systematic request for proof of identity was not justified because there was no doubt about the identity of the people exercising their rights.

In addition, the company had not been able to process several requests to exercise rights within the time limits required by the GDPR.

Failure to respect the rights of the data subject (articles 15, 17 and 21 of the GDPR and article L34-5 of the postal and electronic communications code)

First of all, Carrefour France had not responded to several requests from individuals wishing to access their personal data.

Second, in several cases, the company did not delete data that several people had asked it to delete, when it should have.

Finally, the company did not take into account several requests from individuals who objected to receiving advertisements by SMS or e-mail, in particular due to occasional technical errors.

Breach of the obligation to process data fairly (Article 5 of the GDPR)

When an individual subscribing to the Pass card (a credit card that can be attached to the loyalty account) also wished to join the loyalty program, he had to tick a box indicating that he agreed to Carrefour Banque communicating his name, first name and e-mail address to “Carrefour loyalty”. Carrefour Banque had explicitly indicated that no other data would be transmitted. However, the CNIL noted that other data had been transmitted, such as the postal address, the telephone number and the number of children, even though the company had undertaken not to transmit any other data.

Basis used to calculate the fine imposed on Carrefour France

Carrefour France contested the basis for calculating the fine retained by the CNIL which, in its deliberation, included the notion of “commitment” in its analysis.

It should be remembered that article 83-5 of the GDPR provides that the amount of fines imposed for breaches noted may amount to “in the case of a company, up to 4% of the total worldwide annual turnover of the previous financial year”.

In accordance with recital 150 of the GDPR, “when administrative fines are imposed on a company, a company must be considered as a company in accordance with Articles 101 and 102 TFEU for these purposes.”

Finally, the guidelines on the application and setting of administrative fines for the purposes of Regulation 2016/679 specify that “in order to impose effective, proportionate and dissuasive fines, the supervisory authority uses the definition of the concept of company as provided for by the CJEU for the purposes of the application of Articles 101 and 102 TFEU, namely that by the concept of a company, we mean an economic unit, which can be constituted by the parent company and all the subsidiaries concerned. In accordance with European Union law and case law, an enterprise should be considered as the economic unit which carries out commercial / economic activities, regardless of the legal person involved (recital 150)”.

However, the CNIL noted that the legal organization of the Carrefour group, and in particular of Carrefour France and its subsidiaries, would render any fine imposed on Carrefour France’s turnover alone de facto ineffective.3

It therefore decided, in order to assess the concept of “company” within the meaning of Articles 101 and 102 TFEU, to take into account the turnover achieved by Carrefour France and by the subsidiaries it owns and which have benefited from data processing.4 It therefore considered that the company’s turnover, in the sense of economic unit, serving as the basis for calculating the fine amounted to € 14.9 billion in 2019.



2 and

3 In 2019, Carrefour France achieved sales of around 14 million euros and generated a net loss of 1.6 billion euros. These figures are comparable to those of 2018 (turnover of around 25 million euros and net loss of 1.4 billion euros). However, Carrefour France belongs to a group whose activity is of a completely different scale, with a turnover of around 80 billion euros (around 40 billion euros in France) for an adjusted net profit share of the group of approximately 900 million euros in 2019.

4 Concretely, for the CNIL, the companies Carrefour Hypermarkets and Carrefour Proximité France benefit from the data pooling program. Carrefour France’s Marketing Department processes the shared data of the customers of these companies (last name, first name, physical and e-mail address, telephone number, purchase history) in order to send them personalized advertising for products sold in these stores. For the CNIL, these companies participate in the collection of personal data since membership of the loyalty program is possible directly in-store via paper forms.
