Sanctions of 2,250,000 euros and 800,000 euros for the companies Carrefour France and Carrefour Banque
After receiving several complaints, the CNIL has sanctioned two companies of the CARREFOUR group for breaches of the RGPD concerning in particular the information provided to individuals and the respect of their rights.
After receiving several complaints against the CARREFOUR group, the CNIL carried out inspections between May and July 2019 at CARREFOUR FRANCE (retail sector) and CARREFOUR BANQUE (banking sector). On this occasion, the CNIL noted shortcomings concerning the processing of data of customers and potential users. The President of the CNIL therefore decided to initiate sanction proceedings against these companies.
At the end of this procedure, the Restricted Panel – the CNIL body in charge of pronouncing sanctions – considered that the companies had failed to comply with several obligations laid down in the RGPD.
It thus fined CARREFOUR FRANCE 2,250,000 euros and CARREFOUR BANQUE 800,000 euros. On the other hand, it did not issue an injunction, since it noted that significant efforts had been made to bring all the breaches noted into compliance.
Breaches of the obligation to inform individuals (Article 13 of the RGPD)
The information provided to users of the carrefour.fr and carrefour-banque.fr sites, as well as to people wishing to join the loyalty program or the Pass card, was not easily accessible (access to information that was too complicated, in very long documents containing other information), nor easily understandable (information written in general and imprecise terms, sometimes using unnecessarily complicated wording). In addition, it was incomplete with respect to the length of time the data were kept.
Concerning the carrefour.fr site, the information was also insufficient with regard to data transfers outside the European Union and the legal basis of the processing operations (files).
On this point, the companies modified their information notices and websites during the procedure in order to comply.
Shortcomings relating to cookies (Article 82 of the French Data Protection Act)
The CNIL noted that when a user visited the carrefour.fr or carrefour-banque.fr site, several cookies were automatically placed on his or her terminal before any action on his or her part. Several of these cookies were used for advertising, so the user's consent should have been collected before they were placed.
During the procedure, the companies modified the way their websites work. Advertising cookies are no longer placed before the user has given his or her consent.
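The failure described above is a timing problem: advertising cookies written on first load, before any consent decision exists. The following is an added example, not code from the CNIL, Carrefour or either website, of the two controls a site operator needs: a consent-gated cookie writer that refuses non-exempt categories until consent covers them, and a first-load audit that flags any observed cookie that required consent. The cookie names and categories in COOKIE_POLICY are constructed for the example; in a real page the `write` callback would set `document.cookie`, and the audit input would come from a crawler that loads the page with a fresh profile and records what was set before any click.

```javascript
// Added example (not the CNIL's or Carrefour's code): consent-gated cookie
// writing and an audit of cookies observed before any consent decision.

// Hypothetical cookie declarations: the category decides whether consent is needed.
const COOKIE_POLICY = {
  session_id: { category: "strictly_necessary" },
  csrf_token: { category: "strictly_necessary" },
  ad_tracker: { category: "advertising" },
  retargeting_id: { category: "advertising" },
  analytics_uid: { category: "analytics" },
};

// Categories that may be written without a consent decision (cookies needed to
// deliver the service the user explicitly asked for).
const EXEMPT_CATEGORIES = new Set(["strictly_necessary"]);

// consent: { decided: boolean, categories: Set<string> }
// Returns true only if the cookie is declared and either exempt or covered by
// an explicit consent decision. Undeclared cookies are never written.
function mayWrite(name, consent) {
  const decl = COOKIE_POLICY[name];
  if (!decl) return false;
  if (EXEMPT_CATEGORIES.has(decl.category)) return true;
  return consent.decided && consent.categories.has(decl.category);
}

// Cookie jar abstraction so the gating logic runs outside a browser.
// In a page, `write` would be (name, value) => { document.cookie = `${name}=${value}`; }.
function createConsentGatedJar(write) {
  return {
    set(name, value, consent) {
      if (!mayWrite(name, consent)) return false; // blocked: no consent for this category
      write(name, value);
      return true;
    },
  };
}

// Audit: cookies observed on a fresh first load (before any user action) that
// required consent. Anything returned here is a violation of the kind the CNIL noted.
function auditFirstLoad(observedNames) {
  const noConsent = { decided: false, categories: new Set() };
  return observedNames.filter((name) => !mayWrite(name, noConsent));
}

// Constructed sample: what a scanner might record on a first visit.
const OBSERVED_BEFORE_CONSENT = ["session_id", "ad_tracker", "retargeting_id", "analytics_uid"];

// Walk through both controls and return the results for inspection.
function demo() {
  const written = [];
  const jar = createConsentGatedJar((name, value) => written.push(`${name}=${value}`));

  const beforeConsent = { decided: false, categories: new Set() };
  jar.set("session_id", "abc", beforeConsent); // written: strictly necessary
  jar.set("ad_tracker", "xyz", beforeConsent); // blocked: advertising, no consent yet

  const afterConsent = { decided: true, categories: new Set(["advertising"]) };
  jar.set("ad_tracker", "xyz", afterConsent);   // written: advertising now consented
  jar.set("analytics_uid", "u1", afterConsent); // blocked: analytics not consented

  return { written, violations: auditFirstLoad(OBSERVED_BEFORE_CONSENT) };
}
```

The audit is the part worth automating: run it against a fresh browser profile on every deployment, and treat a non-empty violation list as a build failure rather than a finding to triage later. The gate itself only helps if every script that sets cookies goes through it, which is why undeclared names are refused rather than allowed by default.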
Failure to comply with the obligation to limit the data retention period (Article 5.1.e of the RGPD)
The company CARREFOUR FRANCE did not respect the data retention periods it had set. The data of more than twenty-eight million customers who had been inactive for five to ten years was being kept as part of the loyalty program. The same was true for 750,000 users of the carrefour.fr website who had been inactive for five to ten years.
Moreover, in this case, the Restricted Panel considers that a retention period of 4 years for customer data after their last purchase is excessive. This duration, initially adopted by the company, exceeds what appears necessary in the retail sector, given the consumption habits of customers, who mainly make regular purchases.
During the procedure, CARREFOUR FRANCE committed significant resources to make the changes needed to comply with the RGPD. In particular, all data that were too old have been deleted.
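The breach in this section was not the absence of a retention period but the absence of anything enforcing it. The following is an added example, not Carrefour's or the CNIL's code, of a retention job that classifies records against a documented per-dataset policy and, importantly, refuses to decide silently when it cannot: records with no recorded activity date, or belonging to a dataset the policy does not cover, go to a review list rather than being kept or purged by default. The datasets, the retention values and the sample records are constructed for the example; the real figures must come from the controller's own retention schedule.

```javascript
// Added example (not Carrefour's or the CNIL's code): enforce documented
// retention periods for inactive customer records.

const MS_PER_DAY = 24 * 60 * 60 * 1000;

// Hypothetical retention schedule: records inactive for more than `days` are purged.
// The numbers are placeholders, not a statement of what is lawful.
const RETENTION_POLICY = {
  loyalty_program: { days: 3 * 365 },
  website_account: { days: 3 * 365 },
};

// Whole days between an ISO date and `now` (a millisecond timestamp).
function daysSince(isoDate, now) {
  return Math.floor((now - Date.parse(isoDate)) / MS_PER_DAY);
}

// Sort records into keep / purge / review. "review" covers the two cases a
// batch job must not resolve on its own: no activity date, or no documented rule.
function classifyRecords(records, policy, now) {
  const result = { keep: [], purge: [], review: [] };
  for (const record of records) {
    const rule = policy[record.dataset];
    if (!rule || !record.lastActivity) {
      result.review.push(record.id);
      continue;
    }
    const inactiveDays = daysSince(record.lastActivity, now);
    (inactiveDays > rule.days ? result.purge : result.keep).push(record.id);
  }
  return result;
}

// Constructed sample records, evaluated against a fixed reference date so the
// run is reproducible.
const SAMPLE_RECORDS = [
  { id: "c1", dataset: "loyalty_program", lastActivity: "2024-11-01" }, // recent: keep
  { id: "c2", dataset: "loyalty_program", lastActivity: "2019-03-15" }, // ~6 years: purge
  { id: "c3", dataset: "website_account", lastActivity: "2016-06-30" }, // ~8 years: purge
  { id: "c4", dataset: "website_account", lastActivity: null },         // unknown: review
  { id: "c5", dataset: "newsletter", lastActivity: "2024-01-01" },      // no rule: review
];
const REFERENCE_NOW = Date.parse("2025-01-01");

function runRetentionJob() {
  return classifyRecords(SAMPLE_RECORDS, RETENTION_POLICY, REFERENCE_NOW);
}
```

In production the purge list feeds the deletion step and the review list feeds a human, and both lists are logged: the log of what was deleted, when, and under which rule is what lets the controller demonstrate to a supervisory authority that the documented period is actually applied.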
Failure to comply with the obligation to facilitate the exercise of rights (Article 12 of the RGPD)
The company CARREFOUR FRANCE required proof of identity for any request to exercise a right, except objections to commercial prospecting. This systematic requirement was not justified, since there was no doubt about the identity of the persons exercising their rights. In addition, the company was unable to process several requests to exercise rights within the deadlines required by the RGPD.
On these two points, the company changed its practices during the procedure. In particular, it deployed significant human and organizational resources to respond to all requests received within less than one month.
Failure to respect rights (Articles 15, 17 and 21 of the RGPD and Article L34-5 of the Postal and Electronic Communications Code)
First of all, the company CARREFOUR FRANCE did not respond to several requests from persons wishing to access their personal data. The company contacted all the persons concerned during the procedure.
Secondly, in several cases, the company did not delete data when individuals had requested it and it should have done so. On this point too, the company complied with all requests during the procedure.
Finally, the company did not take into account several requests from people who objected to receiving advertising by SMS or e-mail, in particular due to specific technical errors. The company complied during the procedure on this point as well.
Failure to comply with the obligation to process data fairly (Article 5 of the RGPD)
When a person subscribing to the Pass card (a credit card that can be attached to the loyalty account) also wished to join the loyalty program, he or she had to tick a box accepting that CARREFOUR BANQUE communicate his or her last name, first name and e-mail address to “Carrefour fidélité”. CARREFOUR BANQUE explicitly indicated that no other data would be transmitted. However, the CNIL noted that other data were in fact transmitted, such as the postal address, the telephone number and the number of his or her children, even though the company had undertaken not to transmit any other data.
On this point, the company changed its practices during the procedure. It has completely overhauled its online subscription process for the Pass card and individuals are now informed of all data transmitted to CARREFOUR FRANCE.