2,225,000 and 800,000 euros by the CNIL against Carrefour France and Carrefour Banque

published on 17 December 2020 | reading time approx. 6 minutes

Despite the context of the health crisis, the French Data Protection Authority (CNIL) continues to monitor companies' compliance with the General Data Protection Regulation (GDPR) and to sanction them in the event of non-compliance.

Indeed, in two deliberations on November 18, 2020, the CNIL imposed a double sanction on Carrefour France and Carrefour Banque, ordering the two companies to pay fines of 2,250,000 euros and 800,000 euros respectively for violating their obligations under the GDPR.

During its investigations between May and July 2019, the CNIL found various breaches by Carrefour France and Carrefour Banque of their obligations under the GDPR.

First of all, the CNIL found breaches of the obligation to inform persons under Article 13 of the GDPR. Indeed, the information provided to users on the websites of Carrefour France and Carrefour Banque was not easily accessible and understandable and was incomplete, in particular with regard to the retention periods of data.

In addition, the CNIL found breaches relating to cookies. Indeed, the Carrefour France and Carrefour Banque websites did not ask for users' consent when placing several advertising cookies on their terminals.

The CNIL also noted a failure to comply with the obligation to limit the retention periods of data envisaged in Article 5.1.e of the GDPR. The data of inactive Carrefour France customers as well as the data of users of the Carrefour France website were kept between five and ten years. However, the Restricted Committee of the CNIL considered that a retention of customer data beyond 4 years after their last purchase in the field of mass retailing was excessive.

In addition, the CNIL found a breach of the obligation to facilitate the exercise of rights under Article 12 of the GDPR, because proof of identity was systematically required for any request to exercise rights and because several such requests were not processed within the time limits required by the GDPR.

The CNIL also noted a failure to respect the rights under Articles 15, 17 and 21 of the GDPR and Article L34-5 of the French Post and Electronic Communications Code. Carrefour France failed to respond to several requests from persons wishing to access their personal data. It also did not delete data when several people requested it, and did not take into account several requests from people who had objected to receiving advertising by SMS or email.

Finally, the CNIL found a breach of the obligation of fair collection of data protected by Article 5 of the GDPR.

It is important to note that Carrefour France and Carrefour Banque complied with the GDPR during the CNIL's investigation procedure, but did not escape administrative sanctions from the CNIL.

These substantial sanctions pronounced by the CNIL are a reminder of the CNIL's considerable repressive power. Indeed, in case of non-compliance with the obligations resulting from the GDPR, the president of the CNIL can refer the matter to the Restricted Committee of the CNIL, which, after an adversarial proceeding, is in charge of pronouncing administrative sanctions. These administrative sanctions can be of different kinds: an injunction to comply, or an administrative fine not exceeding 10 million or 2% of total worldwide annual revenues for the previous fiscal year.

This sanction is in line with the CNIL's repressive policy. The CNIL is becoming less and less reluctant to penalize companies that fail to comply with the GDPR, and the sanctions it has pronounced have multiplied in recent years. Moreover, the CNIL no longer hesitates to work in cooperation with other European supervisory authorities to be more effective. The sanction of 250,000 euros pronounced by the CNIL against Spartoo last July was precisely the product of cooperative work between the different European supervisory authorities.

It should be noted that, in addition to the significant amounts of the administrative sanctions imposed by the CNIL, which can affect the financial health of the company, the CNIL's decision to make these sanctions public is not without consequences for the company's brand image among consumers, who are today increasingly sensitive to and informed about data protection issues.

These sanctions taken against Carrefour France and Carrefour Banque are therefore a perfect illustration of the need for companies not to overlook issues such as compliance with the GDPR, which can have serious financial consequences.

CONTACT

Leila Benaissa

Lawyer, Head of data protection and IT law

+33 1 56 92 39 14
