New CNIL fine against e-commerce company

October 14, 2020

The French data protection authority (the “CNIL”) has imposed a fine of EUR 250,000 on the company Spartoo, an online retailer operating in more than 10 countries within the EU.

Although this is the first sanction handed down by the CNIL acting as lead supervisory authority under the GDPR's one-stop-shop mechanism, the particular interest of the decision lies in the main principles it recalls (and specifies):

- Data Minimization principle: collected personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.

For the CNIL, Spartoo's practice of recording every telephone call made to customer service was disproportionate to the stated purpose of employee evaluation and training, especially since:

• While customers had the possibility to opt out of the recording of their conversation, employees were not given the same option; and

• The employee in charge of the training generally listened to only one recording per week and per employee.

Moreover, for Italian customers, collecting a copy of the health insurance card in addition to the identity card was not necessary to combat fraud.

- Storage Limitation principle: personal data may only be stored for a duration which does not exceed what is necessary for the purposes for which it is processed.

Spartoo was also sanctioned for retaining the personal data of former customers for several years: the data of nearly 3 million customers who had not logged on to their account since 2013 was still being stored.

In addition, the CNIL ruled that retaining prospects' personal data for 5 years from the last contact was excessive, since:

• The company did not send any electronic communication after a period of 2 years of inactivity by the prospect; and

• Merely opening an email does not demonstrate a person's interest in the products and therefore cannot serve as the starting point of the 5-year retention period.

- Transparency principle: obligation to inform data subjects.

The CNIL considered that the information provided to data subjects was insufficient since:

• Customers calling customer service were not informed that their personal data was transferred to Madagascar; and

• Consent was cited as the general legal basis for all processing activities, whereas other legal bases, such as performance of the contract, were in fact relied upon.

• When the call-recording system was put in place, employees were not informed of the purpose of the processing, of its legal basis, of the recipients of the data, of the retention period, or of their rights.

- Security of processing obligation: the data controller shall implement appropriate technical and organizational measures to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services.

A company that tolerates weak passwords and stores card scans showing the full credit card number fails to meet this obligation.

With this decision, the CNIL signals that companies should pay even closer attention to those GDPR obligations that already existed under the previous legal framework, as violations of them are likely to be interpreted more strictly.

In practice, data controllers will have to ensure that:

- Categories of collected data are proportionate to their stated purpose.

- Data retention periods (and their starting points) are clearly stated and justified. For prospects, it is advisable to follow the CNIL's recommendation not to retain personal data for more than 3 years from the collection date or from the last contact with the prospect (and merely opening an email does not count as contact).

- Consent is not used as a general legal basis for processing when the processing properly rests on another legal basis (e.g. performance of a contract).

- All data subjects are informed of the collection and processing of their data in accordance with the provisions of Articles 13 and 14 of the GDPR.

- Password policies follow the CNIL's recommendations on the subject (published on Legifrance).

- Stored credit card scans do not show the full card number.
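The last point is one a security team can check for rather than take on trust. The following is an added example (it is not code from the CNIL decision, from Spartoo, or from the original article) that scans stored text records for full card numbers, using a Luhn check to filter out look-alike numbers such as order references, and masks any hit down to its last four digits. The sample records are constructed; the decision to keep the last four digits, and the 13 to 19 digit length range, are conventional choices assumed here, not requirements stated on the page.

```python
import re
from typing import List, Tuple

# Runs of 13 to 19 digits, optionally separated by single spaces or dashes,
# not adjacent to other digits. This deliberately over-matches (order numbers,
# tracking numbers); the Luhn check below filters out the non-PAN hits.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed sample records standing in for stored order/customer data.
SAMPLE_RECORDS = [
    "order 2019-0455 paid with card 4111 1111 1111 1111, customer ref 1234567890123456",
    "card on file: 5500-0000-0000-0004 exp 12/22",
    "tracking number 4111111111111112",
]


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _normalise(candidate: str) -> str:
    """Strip the separators the regex allowed so only digits remain."""
    return re.sub(r"[ -]", "", candidate)


def _is_pan(digits: str) -> bool:
    return 13 <= len(digits) <= 19 and luhn_valid(digits)


def mask_pan(digits: str) -> str:
    """Replace all but the last four digits with '*' (assumed masking policy)."""
    return "*" * (len(digits) - 4) + digits[-4:]


def find_pans(text: str) -> List[str]:
    """Return the full card numbers (digits only) found in a record."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = _normalise(m.group(0))
        if _is_pan(digits):
            found.append(digits)
    return found


def mask_text(text: str) -> Tuple[str, int]:
    """Return the record with every full card number masked, plus the number of masks applied."""
    count = 0

    def repl(m: re.Match) -> str:
        nonlocal count
        digits = _normalise(m.group(0))
        if not _is_pan(digits):
            return m.group(0)    # leave non-PAN digit runs untouched
        count += 1
        return mask_pan(digits)

    return PAN_CANDIDATE.sub(repl, text), count


if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        masked, n = mask_text(rec)
        print(f"{n} card number(s) found -> {masked}")
```

The Luhn filter matters in practice: the 16-digit customer reference in the first record and the mistyped number in the third both match the regex but fail the checksum, so only genuine card numbers are flagged and rewritten. The same two functions can be pointed at exported database rows or OCR output from scanned card images to find retention that the decision says is not acceptable.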
