FRENCH SUPERVISORY AUTHORITY: Sanction of 1.75 million euros against AG2R LA MONDIALE

The Restricted Committee of the CNIL has sanctioned SGAM AG2R LA MONDIALE for failing to comply with the GDPR requirements on data retention periods and on informing individuals.

The CNIL carried out an audit of the AG2R LA MONDIALE group in 2019. The audit aimed to verify the compliance of the processing carried out as part of its mission to manage the retirements of private-sector employees, as well as its insurance activities.

On this occasion, the CNIL established that the Mutual Insurance Group company AG2R LA MONDIALE (SGAM AG2R LA MONDIALE), which is responsible for coordinating the group's insurance activities (providence, addition, health, conservation and retirement), was storing the personal data of millions of people for an excessive retention period and was not complying with its information obligations in the context of telephone canvassing campaigns.

Based on these elements, the Restricted Committee, the CNIL body responsible for issuing sanctions, considered that the company had failed to meet two fundamental obligations required by the GDPR. It imposed a sanction of 1,750,000 EUR and decided to publish its decision.

The Restricted Committee also took into account the compliance measures adopted by the company regarding the limitation of retention periods and the information of individuals.

Failure to comply with the obligation to limit the data retention period (Article 5(1)(e) of the GDPR)

The company had not implemented the retention periods defined in its own reference system. Consequently, it stored its clients' personal data for excessive retention periods.

With regard to lead data, the company did not comply with the maximum retention period of three years established in its repository and in the group's register of processing. Data of about 2,000 clients who had had no contact with the company for more than three years, and sometimes five, had been stored.

With regard to client data, the company did not comply with the maximum retention periods required by the Code of Insurance and the Commercial Code. More specifically, the company was storing the personal data of more than 2 million people, some of it sensitive (health) or specific (bank details), beyond the legal retention period authorized after the end of the contract.

The company took measures to achieve compliance following the audit and then during the procedure. Compliance has been achieved with respect to lead data. With respect to client data, the company has made firm and documented commitments regarding the compliance process it has undertaken, the partial implementation of which has been demonstrated. It has also committed to a date by which it will be fully compliant on this point.

A breach of the obligation to inform persons (Articles 13 and 14 of the GDPR)

The information provided by the company's subcontractors to the people they canvassed by telephone did not include all of the elements required by the GDPR. Indeed, telephone calls made by subcontractors could be recorded without the person contacted being informed of the recording or of their right to object. In addition, no other information was provided to the persons canvassed concerning the processing of their personal data or their other rights. Finally, people were not given the opportunity to access more complete information, for example by pressing a button on their phone or by sending an e-mail.

However, the company has put in place measures to make the necessary changes to bring it into compliance with the GDPR, after the audit and then during the procedure.

