France: CNIL sanctions on Carrefour

Sanctions of 2,250,000 euros and 800,000 euros for the companies CARREFOUR FRANCE and CARREFOUR BANQUE

Announcement:
https://www.cnil.fr/fr/sanctions-2250000-euros-et-800000-euros-pour-carrefour-france-carrefour-banque

Délibération de la formation restreinte n° SAN-2020-008 du 18 novembre 2020 concernant la société CARREFOUR FRANCE
https://www.legifrance.gouv.fr/cnil/id/CNILTEXT000042563756

Délibération de la formation restreinte n° SAN-2020-009 du 18 novembre 2020 concernant la société CARREFOUR BANQUE
https://www.legifrance.gouv.fr/cnil/id/CNILTEXT000042564657

Pursuant to decisions n o 2019-081C of April 24, 2019 and n o 2019-102C of June 6, 2019 of the President of the Commission, five controls were carried out online or at the company’s premises:
– an online check, carried out on May 24, 2019, relating to the carrefour.fr site and the processing carried out from this site;
– an on-site check, carried out on May 28, 2019, relating to the processing carried out by the company CARREFOUR FRANCE, in particular as part of the Carrefour loyalty program (hereinafter the loyalty program), as well as the various databases that ‘she used for the management of her clientele;
– an on-site check, carried out on June 11 and 12, 2019, relating to the exercise of rights and to the responses provided to several complainants who have referred a complaint to the CNIL against the company;
– an on-site check, carried out on June 26 and 27, 2019, focusing more particularly on the management of personal data as part of the loyalty program;
– an on-site check, carried out on July 11, 2019, relating to the security measures developed by CARREFOUR FRANCE to protect the personal data it processes and the data breaches that have occurred.

On the second point, the restricted committee notes, first of all, that the company recognizes a delay in the implementation of its data erasure program but underlines the significant efforts made since the initiation of the procedure to bring itself into compliance. The restricted committee noted that the delegation of control noted the presence of data concerning customers who had been inactive for more than four years, and in particular more than twenty-eight million customers who were members of the loyalty program who had been inactive for five to ten years. With regard to users of the carrefour.fr site, the restricted training emphasizes that the data of more than 750,000 users whose act of purchase dated back five to ten years was kept, and nearly 20,000 users including the last purchase dated back over ten years.<(i>

Triggered by several complaints, the CNIL sanctioned two companies of the CARREFOUR group for breaches of the RGPD concerning in particular the information delivered to the people and the respect of their rights.

Having received several complaints against the CARREFOUR group, the CNIL carried out checks between May and July 2019 with the companies CARREFOUR FRANCE (retail sector) and CARREFOUR BANQUE (banking sector). On this occasion, the CNIL noted shortcomings in the processing of customer and potential user data. The President of the CNIL therefore decided to initiate a sanctioning procedure against these companies.

At the end of this procedure, the restricted committee – the CNIL body responsible for pronouncing sanctions – effectively considered that the companies had failed to meet several obligations under the GDPR.

It thus sanctioned the CARREFOUR FRANCE company with a fine of 2,250,000 euros and the CARREFOUR BANQUE company with a fine of 800,000 euros. On the other hand, it did not issue an injunction when it noted that significant efforts had made it possible to bring all the breaches identified into compliance.

Breaches of the obligation to inform individuals (article 13 of the GDPR)
The information provided to users of the carrefour.fr and carrefour-banque.fr sites as well as to people wishing to join the loyalty program or the Pass card was not easily accessible (access to information too complicated, in very long containing other information), nor easily understandable (information written in general and imprecise terms, sometimes using unnecessarily complicated formulations). In addition, it was incomplete with regard to the duration of data retention.

Concerning the carrefour.fr site, the information was also insufficient with regard to data transfers outside the European Union and the legal basis for processing (files).

On this point, the companies modified their information notices and websites during the procedure in order to comply.

Breaches relating to cookies (article 82 of the Data Protection Act)
The CNIL noted that, when a user connects to the carrefour.fr site or the carrefour-banque.fr site, several cookies were automatically placed on his terminal, before any action on his part. Several of these cookies are used for advertising, however the user’s consent should have been collected before filing.

The companies modified the way their websites function during the procedure. No advertising cookies are now deposited before the user has given their consent.

A breach of the obligation to limit the retention period of data (article 5.1.e of the GDPR)
The CARREFOUR FRANCE company did not respect the data retention periods that it had set. The data of more than twenty-eight million customers who had been inactive for five to ten years were thus kept as part of the loyalty program. The same was true for 750,000 users of the carrefour.fr site who had been inactive for five to ten years.

In addition, in this case, the restricted committee considers that a retention period of 4 years for customer data after their last purchase is excessive. Indeed, this duration, initially adopted by the company, exceeds what appears necessary in the field of mass distribution, taking into account the consumption habits of customers who mainly make regular purchases.

During the procedure, the company CARREFOUR FRANCE has committed significant resources to make the necessary changes to bring it into compliance with the GDPR. In particular, all data that is too old has been deleted.

A breach of the obligation to facilitate the exercise of rights (article 12 of the GDPR)
The CARREFOUR FRANCE company required, except for opposition to commercial prospecting, proof of identity for any request to exercise rights. This systematic request was not justified since there was no doubt about the identity of the persons exercising their rights. Furthermore, the company was not able to process several requests for the exercise of rights within the time limits required by the GDPR.

On these two points, the company changed its practices during the procedure. In particular, it has deployed significant human and organizational resources to respond to all requests received within a period of less than one month.

Failure to respect rights (articles 15, 17 and 21 of the RGPD and L34-5 of the Postal and Electronic Communications Code)
First of all, the CARREFOUR FRANCE company did not respond to several requests from people wishing to access their personal data. The company approached all the people concerned during the procedure.

Then, in several cases, the company did not proceed with the erasure of data requested by several people when it should have done so. On this point also, the company granted all the requests during the procedure.

Finally, the company did not take into account several requests from people who objected to receiving advertising by SMS or email, in particular due to occasional technical errors. The company became compliant during the procedure on this point as well.

A breach of the obligation to process data fairly (Article 5 of the GDPR)
When a person subscribing to the Pass card (credit card that can be attached to the loyalty account) also wished to join the loyalty program, he had to tick a box indicating that he accepted that CARREFOUR BANQUE would communicate his name to “Carrefour loyalty”, their first name and e-mail address. CARREFOUR BANQUE explicitly indicated that no other data was transmitted. The CNIL however noted that other data were transmitted, such as the postal address, the telephone number and the number of its children, although the company had undertaken not to transmit any other data.

On this point, the company changed its practices during the procedure. It has completely overhauled its online subscription process for the Pass card and people are now informed of all the data transmitted to CARREFOUR FRANCE.