Personal data

Having received several complaints against the Carrefour group, the French Data Protection Authority carried out inspections between May and July 2019 at Carrefour France (mass retail sector) and Carrefour Banque (banking sector).

During these inspections, it found a number of breaches in the processing of customer and potential user data, and consequently imposed a 2,250,000 euros fine on Carrefour France and a 800,000 euros fine on Carrefour Banque. The breaches mainly concerned the information provided to individuals and the respect for the rights of such individuals.

The Commission Nationale de l’Informatique et des Libertés (French Data Protection authority or “CNIL”) has just imposed a penalty of 250,000 euros on Spartoo, a company specializing in the online sale of shoes. The CNIL noted several breaches of the GDPR, the general regulation on data protection which came into force on May 25, 2018.

This is the first penalty imposed by the CNIL as “lead supervisory authority” in cooperation with other EU supervisory authorities as the consumers (and their personal data) of Spartoo which is based in Grenoble extend beyond French borders.

The EU-US Privacy Shield, which allowed the transfer of personal data from the European Union to the United States in accordance with the GDPR, was invalidated by the Court of Justice of the European Union on July 16, 2020.

A look back at this decision and its impact on data transfers to the United States.

In the context of the COVID-19 pandemic, and more specifically the so-called “lockdown-lifting” strategy, the French Government decided to implement an app called “StopCovid” available on smartphones, the aim of which is to alert its users that they have been in close proximity to people who have been tested positive for COVID-19 and who use the same app, as this proximity entails a risk of transmission of the SARS-CoV-2 virus.

This is one of the digital devices implemented by the Government as part of this overall “lockdown-lifting” strategy.

While France is entering the first phase of its end-of-lockdown plan, the Government’s strategy to combat a resumption of the epidemic is now based on monitoring “contact tracing”, i.e. the swift identification of any person who has been close to a patient in order to also test him/her and, if necessary, isolate him/her to avoid the spread the of the disease.

French authorities are planning an “information system” based on two medical databases: Sidep and Contact Covid. As the design of the StopCovid app. is still under way, its deployment was not included in the end-of-lockdown plan presented on April 28, 2020.

The Covid-19 pandemic has prompted many companies to implement teleworking solutions. The implementation of this type of working method requires that rules be duly followed to guarantee the security of information systems and processed data.

The French Data Protection Authority (Commission Nationale de l’Informatique et des Libertés or “CNIL”) has published recommendations to help secure personal data in this context.