Personal Data: Carrefour fined in excess of 3 million euros
Having received several complaints against the Carrefour group, the Commission Nationale de l’Informatique et des Libertés (French Data Protection Authority, hereinafter the “CNIL”) carried out inspections between May and July 2019 at Carrefour France (mass retail sector) and Carrefour Banque (banking sector)[1].
During these inspections, the CNIL found a number of breaches in the processing of customer and prospect data and consequently imposed a 2,250,000 euro fine on Carrefour France and an 800,000 euro fine on Carrefour Banque.[2] The breaches mainly concerned the information provided to individuals and the respect for the rights of those individuals.
Breaches of the obligation to provide information to individuals (Article 13 of the GDPR)
The information provided to users of the carrefour.fr and carrefour-banque.fr websites, as well as to people wishing to join the loyalty program or subscribe to the Pass card, was neither easily accessible (access to it was too complicated, buried in very lengthy documents containing other information) nor easily understandable (it was written in general and imprecise terms, sometimes using unnecessarily complicated wording).
In addition, it was incomplete with respect to the data retention period.
Concerning the carrefour.fr website, the information was also insufficient with regard to data transfers outside the European Union and the legal basis for the data processing (files).
Breaches with respect to the use of cookies (Article 82 of the French Data Protection Act)
The CNIL found that when a user connected to the carrefour.fr or carrefour-banque.fr website, several cookies were automatically stored on his/her terminal before any action on his/her part. Since several of these cookies were used for advertising purposes, the user's consent should have been collected before they were stored.
Breach of the obligation to limit the duration of data storage (Article 5.1.e of the GDPR)
Carrefour France did not comply with the data retention periods it had set. The data of more than twenty-eight million customers who had been inactive for five to ten years were being kept as part of the loyalty program. The same was true for 750,000 users of the carrefour.fr website who had been inactive for five to ten years.
In addition, the CNIL considered that a retention period of 4 years for customer data after their last purchase was excessive. In the CNIL's view, this duration, initially set by the company, exceeds what appears necessary in the mass retail sector, given the consumption patterns of customers who mainly make regular purchases.
Breach of the obligation to facilitate the exercise of data subject rights (Article 12 of the GDPR)
Carrefour France required proof of identity for any request to exercise a right, except for objections to commercial prospecting.
The CNIL considered that this systematic request for proof of identity was not justified since there was no doubt as to the identity of the individuals exercising their rights.
In addition, the company had been unable to process several requests to exercise rights within the deadlines required by the GDPR.
Lack of respect for data subject rights (Articles 15, 17 and 21 of the GDPR and Article L34-5 of the French Postal and Electronic Communications Code)
First of all, Carrefour France had not responded to several requests from individuals wishing to access their personal data.
Secondly, in several cases, the company had not deleted data whose deletion had been requested by individuals, although it should have done so.
Finally, the company did not take into account several requests from individuals who objected to receiving advertising by SMS or e-mail, in particular due to occasional technical errors.
Breach of the obligation to process data fairly (Article 5 of the GDPR)
Whenever an individual subscribing to the Pass card (a credit card that can be attached to the loyalty account) also wished to join the loyalty program, he/she had to tick a box indicating that he/she accepted that Carrefour Banque communicate to “Carrefour fidélité” his/her last name, first name and e-mail address. Carrefour Banque explicitly indicated that no other data would be transmitted. However, the CNIL found that other data were transmitted, such as the postal address, the telephone number and the number of children, although the company had undertaken not to transmit any other data.
Basis used for the calculation of the fine imposed on Carrefour France
Carrefour France challenged the basis of calculation of the fine used by the CNIL which, in its deliberation, included the concept of “undertaking” in its analysis.
It should be recalled that Article 83-5 of the GDPR provides that the amount of the fines imposed for established breaches may amount “in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year”.
Pursuant to Recital 150 of the GDPR, “where administrative fines are imposed on an undertaking, an undertaking should be understood to be an undertaking in accordance with Articles 101 and 102 TFEU for those purposes.”
Lastly, the guidelines on the application and setting of administrative fines for the purposes of the Regulation 2016/679 specify that “in order to impose fines that are effective, proportionate and dissuasive, the supervisory authority shall use for the definition of the notion of an undertaking as provided for by the CJEU for the purposes of the application of Article 101 and 102 TFEU, namely that the concept of an undertaking is understood to mean an economic unit, which may be formed by the parent company and all involved subsidiaries. In accordance with EU law and case-law, an undertaking must be understood to be the economic unit, which engages in commercial/economic activities, regardless of the legal person involved (Recital 150)”.
However, the CNIL found that the legal organization of the Carrefour Group, and in particular of Carrefour France and its subsidiaries, would render any fine calculated on the turnover of Carrefour France alone de facto ineffective.[3]
It therefore decided, in order to assess the concept of “undertaking” within the meaning of Articles 101 and 102 TFEU, to take into account the turnover achieved by Carrefour France and by the subsidiaries it owns that benefited from the data processing.[4] It consequently held that the turnover of the undertaking, in the sense of an economic unit, serving as the basis for calculating the fine amounted to 14.9 billion euros in 2019.
[1] https://www.cnil.fr/fr/sanctions-2250000-euros-et-800000-euros-pour-carrefour-france-carrefour-banque
[2] https://www.legifrance.gouv.fr/cnil/id/CNILTEXT000042563756 and https://www.legifrance.gouv.fr/cnil/id/CNILTEXT000042564657
[3] In 2019, Carrefour France achieved a turnover of approximately 14 million euros and generated a net loss of 1.6 billion euros. These figures were comparable to those of 2018 (turnover of approximately 25 million euros and a net loss of 1.4 billion euros). However, Carrefour France belongs to a group, the business activity of which is of a totally different magnitude, with a turnover of approximately 80 billion euros (approximately 40 billion euros in France) for an adjusted net profit, group share, of approximately 900 million euros in 2019.
[4] Concretely, for the CNIL, the companies Carrefour Hypermarchés and Carrefour Proximité France benefit from the data pooling program. The Marketing Department of Carrefour France in fact processes the pooled data of these companies' customers (last name, first name, postal and e-mail address, phone number, purchase history) in order to send them personalized advertising for the products sold in these stores. For the CNIL, these companies also participate in the collection of personal data, since membership in the loyalty program can be taken out directly in stores through paper forms.