
CNIL: Useful reminders of four main principles of the GDPR

published on 25 October 2024 | reading time approx. 10 minutes


Two recent decisions issued by the CNIL on September 26, 2024, against COSMOSPACE and TELEMAQUE (providers of remote psychic services by phone and via chat/SMS respectively, to clients across various EU member states) provide an opportunity to revisit three key principles under the GDPR as well as a specific French rule from the Postal and Electronic Communications Code (CPCE).

The principles are:
  • Data minimization
  • Proportionality of data retention periods in relation to the purpose of processing
  • Rules governing the collection of sensitive data
  • Consent for receiving electronic marketing communications

Inspections carried out by the CNIL in 2021 uncovered several breaches: COSMOSPACE was found to be systematically recording phone calls between psychics, clients and customer service representatives, while both companies were cited for excessive data retention, collecting sensitive data without prior clear information and explicit consent (such as health and sexual orientation information), and sending marketing messages to individuals who had not given consent.

Failure to comply with the obligation to MINIMIZE PERSONAL DATA collected and used by Cosmospace (Article 5(1)(c) of the GDPR)

COSMOSPACE first contended that while the phone recordings did indeed contain personal data, they were not subsequently "processed", as the company automatically and randomly deleted half of the recordings each night.

However, the CNIL reaffirmed (if it needed to be restated) that this deletion process had no bearing on the qualification as "data processing", since the deletion occurred after the data had already been collected and processed.

COSMOSPACE further argued that such recordings were justified for several purposes:
  • to monitor service quality and for employee training purposes;
  • to demonstrate contract agreement and performance (in case of legal disputes over services rendered);
  • to comply with judicial requests (which the company frequently receives);
  • to safeguard human life (for instance, assessing when to contact emergency services).

However, the CNIL found, as it already had in previous rulings involving video surveillance, that these purposes did not justify the complete and systematic recording of all calls. The authority emphasized that such recordings should be limited to specific circumstances:
  • on the one hand, to a sample of conversations sufficient to monitor service quality and provide employee training;
  • on the other hand, to the limited portion of calls between operators and clients or prospects that clearly relates to the conclusion of the contract.

The CNIL further reminded COSMOSPACE regarding the last two purposes for processing that:
- while data controllers must comply with judicial requests for data processed for their own purposes, they are not required to preemptively collect personal data in anticipation of a potential judicial request; and
- in cases involving distress calls, employees could manually initiate recordings when necessary.

This breach serves as an important reminder for businesses to adhere to data minimization principles by implementing specific practices: regularly assess and update data retention policies to ensure they align with the purpose of processing, limit the collection of personal data to what is strictly necessary for operational needs, establish protocols for securely archiving and deleting data that is no longer required, and train employees on best practices for handling sensitive information to mitigate risks associated with illegitimate data processing and excessive data retention.

Failure to define a proportionate data retention period (Article 5(1)(e) of the GDPR)

COSMOSPACE retained its clients' data for a duration of six years from the last service carried out on their behalf to facilitate the sending of marketing communications.

The CNIL, however, emphasized that for such purposes, it recommends a maximum retention period of three years in its guidelines concerning data processing for the management of commercial activities. The CNIL concluded that COSMOSPACE, which was aware of these guidelines, failed to demonstrate a legitimate necessity for retaining data for twice the recommended duration. It also underscored the potential inconvenience caused to clients by the frequency of these marketing messages - averaging one per day - over such an extended timeframe.

As for TELEMAQUE, client data were kept in its active database for six years without restricting access to the data or filtering it.

The CNIL reminded TELEMAQUE that while certain client data may be retained after the end of a commercial relationship (for instance, for litigation or pre-litigation purposes), it is the company's responsibility to sort the data, retaining only what is necessary for these purposes, and to restrict access to such data through intermediate archiving.

Although effective data retention may seem straightforward, this ruling underscores its complexities. Companies must implement clear retention policies that align with specific processing purposes. Understanding the distinctions between data categories is essential: (i) active data refers to information currently (and legitimately) in use; (ii) data subject to intermediate archiving are no longer actively used but retained for potential future (and legitimate) needs; and (iii) data subject to final archiving are kept for legal or regulatory obligations only. Organizations should also conduct regular audits to identify and delete unnecessary data, document retention decisions and train employees on data policies. Additionally, regularly consulting CNIL resources, especially sector-specific guidelines (such as those for human resources, marketing, or health data), can provide valuable insights.

Ultimately, many small and medium-sized enterprises struggle with compliance due to inadequate organization, and legal professionals frequently observe that these businesses often lack the necessary structures to meet these requirements. Hence the importance of being able to call on the assistance of specialists or competent external DPOs, in the absence of an in-house organization.

Failure to obtain prior consent for the collection of sensitive data (Article 9 of the GDPR)

During consultations via phone, chat, or SMS with COSMOSPACE and TELEMAQUE, clients may disclose data related to their sexual orientation or sexual life, religious beliefs, or health status. Additionally, they could fill out a form online intended to provide a prediction regarding their romantic compatibility with a chosen individual.

Yet, no specific information was provided to these persons regarding the collection and processing of data obtained from the form or their communications, nor was explicit consent obtained from them.

Both companies asserted that they did not engage in the processing of sensitive data, and in particular did not voluntarily collect any such data. They claimed that the psychics did not inquire about these types of data and stated that they had implemented procedures to ensure that any information that clients might spontaneously disclose was not recorded in any digital or physical files. Furthermore, they emphasized that their general terms prohibited the disclosure of sensitive information and that clients who provided such data would be in violation of these terms. Finally, they asserted that they did not use this data and did not offer any services based on it.

The CNIL reminded the companies that:
  • Even if the data in question are not sensitive by nature, they must be treated as such if they can, e.g. by cross-checking, reveal a person’s sexual orientation. For example, the collection of the user’s and their partner’s gender in a romantic compatibility context allows inferences about sexual orientation, making the data sensitive;
  • When the service requested by the user necessarily involves the processing of sensitive data, which is the case here, the user must be made fully aware that such data will be processed and possibly retained by the data controller. This requires explicit information during the consent process;
  • The mere desire to receive psychic services and the voluntary disclosure of sensitive information do not constitute explicit consent for data processing;
  • The data controller must provide a means to ensure that users give explicit consent through a clear affirmative action before processing special categories of data (for example, a specific tick box for sensitive data, separate from the boxes for accepting the GTCs or the processing of personal data in general).

The CNIL therefore concluded that the companies should have obtained prior explicit consent from clients for processing their sensitive data and should also have provided specific information regarding the collection of such data.

This underscores the need for a specific legal basis for processing sensitive data, which differs from general personal data. While general data can be processed with consent, contractual necessity, or legitimate interests, among other legal bases, sensitive data processing requires stricter conditions. Explicit prior information and explicit consent are essential, ensuring individuals are fully informed and agree to the processing. Other limited bases for processing sensitive data include when the individual publicly discloses the information, when necessary for life protection, when justified by public interest and authorized by the CNIL, or when related to members of certain organizations. It is up to the company to identify the specific legal basis (consent or other) for processing such risky data.

Failure to obtain consent for electronic commercial prospecting (Article L.34-5 of the CPCE)

To carry out their marketing campaigns via email and SMS, COSMOSPACE and TELEMAQUE used a shared database containing all of their clients' and prospects' data, collected through forms on both companies’ websites.

The CNIL reaffirmed here two essential principles in French law concerning electronic marketing:
  • As a reminder, under French law (unlike in other countries), consent for marketing communications is not required from existing clients (individuals or companies) of a company, subject to their subsequent right to object, as such operations are deemed to be carried out in the legitimate interests of the company;
  • Consent for data collected indirectly: when a prospect's data has not been collected directly from them by the organization conducting the marketing, it is the responsibility of this organization to check with the primary collector whether the individual actually consented, at the time of the initial data collection, to the transfer of their data to third companies for further marketing operations. If not, it is again the responsibility of the organization to obtain such new consent before engaging in any marketing activities;
  • Informed consent requirements: for consent to be considered informed, individuals must be clearly informed about the identity of the organization on whose behalf the consent is being collected, as well as the purposes for which their data will be used by this organization (e.g. marketing). To facilitate this, an exhaustive and up-to-date list of "partners" should be made available to the individual at the time of consent collection (visible list or access via hyperlink), along with the privacy policies of the relevant service providers and suppliers. Consent for this sharing of data with third parties for marketing purposes can be obtained via a specific tick box.

The CNIL also emphasized that the existence of a joint controllership agreement (although necessary, and often overlooked by many companies!) does not remove the need to obtain the consent of individuals for the use of their data for electronic marketing purposes, particularly when that data has not been collected directly by the marketing organization.

In the cases in question, the CNIL specifically noted that the forms at stake were poorly designed, failing to clearly inform individuals about the interchangeable use of their data by both companies:
  • the forms included a checkbox allowing TELEMAQUE to conduct marketing for itself and its unidentified partners;
  • although a "Learn More" link provided some details about these partners, the information was not easily accessible;
  • the terminology used did not mention commercial prospecting, leaving users unaware that they could be contacted by the partner company.

Therefore, COSMOSPACE and TELEMAQUE could not rely on this purported "consent" against the individuals concerned.

What to take away is that form design should clearly separate consent for the collecting company’s marketing from that of its partners. The checkbox must specify which company is involved, and the language should clarify the nature of commercial prospecting. Additionally, if a link is included, it should lead to an up-to-date and easily understandable list of partners.

The fines imposed by the CNIL (EUR 250,000 on COSMOSPACE and EUR 150,000 on TELEMAQUE) serve as a reminder of the costs associated with non-compliance. Collaborating with around fifteen other European data protection authorities, the CNIL determined these penalties based on the severity of the breaches, which impacted over 1.5 million individuals in a shared database, as well as the sensitivity of the data involved. The companies' financial situations and organizational structures were also taken into account to ensure that the fines were both dissuasive and proportionate.

These decisions emphasize that compliance involves not only having the right documentation but also implementing effective internal organization and processes. Regularly reviewing and sorting data, ensuring proper archiving, and designing websites that meet legal standards are crucial steps under the responsibility of each company and its managers, with the assistance of internal or external DPOs or counsel.


DATA PROTECTION BITES

Authors: Frédéric Bourguet, Avocat, Associate Partner; Raphaëlle Donnet, Avocate, Associate (Rödl & Partner France)