Personal Data: Carrefour Fined In Excess Of 3 Million Euros

Published date: 27 November 2020
Subject Matter: Corporate/Commercial Law, Privacy, Corporate and Company Law, Data Protection
Law Firm: Soulier Avocats
Author: Ms Laure Marolleau

Having received several complaints against the Carrefour group, the Commission Nationale de l'Informatique et des Libertés (French Data Protection Authority, hereinafter the "CNIL") carried out inspections between May and July 2019 at Carrefour France (mass retail sector) and Carrefour Banque (banking sector)1.

During these inspections, the CNIL found a number of breaches in the processing of customer and potential user data and consequently imposed a 2,250,000 euro fine on Carrefour France and an 800,000 euro fine on Carrefour Banque.2 The breaches mainly concerned the information provided to individuals and the respect for the rights of such individuals.

Breaches of the obligation to provide information to individuals (Article 13 of the GDPR)

The information provided to users of the carrefour.fr and carrefour-banque.fr websites, as well as to people wishing to join the loyalty program or the Pass card, was not easily accessible (the access to information was too complicated, in very lengthy documents containing other information), nor easily understandable (information written in general and imprecise terms, sometimes using unnecessarily complicated wording).

In addition, it was incomplete with respect to the data retention period.

Concerning the carrefour.fr website, the information was also insufficient with regard to data transfers outside the European Union and the legal basis for the data processing (files).

Breaches with respect to the use of cookies (Article 82 of the French Data Protection Act)

The CNIL found that when a user connected to the carrefour.fr or carrefour-banque.fr website, several cookies were automatically stored on his/her terminal, before any action on his/her part. As several of these cookies were used for advertising purposes, the consent of the user should have been collected before the storage of such cookies.

Breach of the obligation to limit the duration of data storage (Article 5.1.e of the GDPR)

Carrefour France did not comply with the data retention periods it had set. The data of more than twenty-eight million customers who had been inactive for five to ten years were being kept as part of the loyalty program. The same was true for 750,000 users of the carrefour.fr website who had been inactive for five to ten years.

In addition, the CNIL considered that a retention period of 4 years for customer data after their last purchase was excessive. According to it, this duration, initially set by the company, exceeds what...
