The French data protection supervisory authority has fined Carrefour (the group's retail company and its bank) 3 million euros for GDPR breaches, in particular concerning the information provided to individuals and respect for their rights.
Following several complaints, the CNIL (Commission Nationale de l’Informatique et des Libertés) carried out inspections between May and July 2019 at the two French companies, Carrefour France (retail sector) and Carrefour Banque (banking sector), and found serious deficiencies in the processing of the personal data of customers and potential customers.
Privacy policy – The first breach detected by the French DPA was visible online and concerned the obligation to inform data subjects under Article 13 of the GDPR. Users of the websites www.carrefour.fr and www.carrefour-banque.fr who wanted to join the loyalty program were not given the personal data processing policies, and when they finally obtained them, they could not access the documents, or the documents proved unclear or difficult to understand. On www.carrefour.fr, the explanations about transfers of personal data outside the European Union and about the legal basis of the processing were also insufficient.
Cookies – Still examining the Carrefour websites, officials found that when a user visited the two websites, many different advertising cookies were automatically stored on the user's computer without prior consent being requested and without the user needing to click on anything.
Data storage – Another breach verified by the CNIL concerns the data retention period declared by Carrefour France, which was not respected: the information of more than 28 million users who had been inactive for many years (in some cases as long as 10 years) was still stored in the loyalty program. The same was true of 750,000 users of the website www.carrefour.fr who, despite having been inactive for five to ten years, had never been deleted.
Rights of data subjects – The exercise of rights under Article 12 of the GDPR was not made easy for data subjects either. The procedure was to systematically ask them for an ID for any request they wanted to submit to Carrefour France, even where there was no doubt about the person's identity, and without a justified reason.
And while Carrefour France was meticulous about the strict procedures it had introduced, it did not escape the inspectors' notice that the company was not as careful about complying with the deadlines for responding to customers, who had to go to great lengths to get satisfaction, all the more so when their requests concerned the deletion of their personal data.
In fact, in several cases in which people objected to receiving advertising by text message or email, the company, in particular because of occasional technical errors, had not deleted the data as requested by users who were already irritated by the annoying messages, and who understandably then turned to the privacy authority.
Correctness of processing – When a person subscribed to the loyalty card that also acts as a credit card for shopping payments, they were asked to tick a box indicating that they accepted that Carrefour Banque would communicate their name and email address to “Carrefour Loyalty”. Carrefour Banque had explicitly stated that no other data would be transmitted, yet the CNIL ascertained that, despite this promise, other data was indeed transmitted, including the customer’s postal address, telephone number, and even the number of the customer’s children. In this respect, too, the authority therefore found a breach of the obligation to process the data correctly in accordance with Article 5 of the GDPR.
If, as the writer Curzio Malaparte stated, “necessity also moves the unsuspecting to operate”, it is true that under the grip of the supervisory authority the two companies of the Carrefour group rolled up their sleeves to try to salvage what they could from the landslide they themselves had caused. The documents put on record by the CNIL point out several times that it has “noted significant efforts on their part that have enabled them to comply with all the violations identified”. Obviously, all this has not exempted Carrefour France and Carrefour Banque from the penalty procedure, which ended with two heavy fines of 2,250,000 euros and 800,000 euros respectively, not to mention the reputational damage that will now inexorably have to be borne by a leading group in the large-scale retail sector, which should stake everything on customer confidence.
SOURCE: FEDERPRIVACY