Date: 2020-11-26

After Spartoo was fined € 250,000 last August, it is now Carrefour's turn to be sanctioned by the CNIL. More precisely, Carrefour France and its subsidiary Carrefour Banque were fined € 2,250,000 and € 800,000 respectively. These fines punish violations of Article 13 of the GDPR.

The CNIL has checked Carrefour twice after complaints

After two investigations in May and July 2019, the CNIL found deficiencies in the processing of customer and potential user data. The President of the CNIL then initiated sanctions proceedings against two other actors concerned. Carrefour France was fined € 2,250,000 and Carrefour Banque was fined € 800,000. However, neither company received a payment order, as the CNIL noted the companies' significant efforts to comply.

The CNIL did not impose these fines without reason. Carrefour France and Carrefour Banque violated the GDPR, in particular Article 13. The information made available to users of the carrefour.fr and carrefour-banque.fr websites, as well as to future members of the passport or loyalty card, was not easily accessible. On the brand's general website, the information provided to users was also considered insufficient with regard to the transfer of data outside the European Union. The CNIL states that Carrefour has already made its platforms compliant with regard to these elements.

Errors related to cookies and data processing detected

The CNIL recently tightened its cookies policy and did not spare Carrefour. In particular, the National Commission on Informatics and Freedoms noted that cookies were automatically placed on the terminal of the user who connects to the various websites of the group.

At the same time, the commission found that Carrefour France was keeping user data for too long in relation to the officially set retention period. The loyalty card data of more than 28 million inactive customers was thus stored for 5 to 10 years. 750,000 other people using the Carrefour website are also affected by data retention for a period of 5 to 10 years. Here, too, the French group made the necessary changes very quickly to bring its practices in line with the GDPR.

Finally, in relation to its banking services, Carrefour did not respect the rules on processing its users' data either. The group asked a new PASS card customer to also subscribe to the customer card, as their data was automatically transmitted to the relevant service. Again, Carrefour took the rules into account and followed them along the way.

Overall, the complaints against the brand have enabled the group to have its practices analyzed by the CNIL and ultimately to comply with the GDPR. Finally, it should be recalled that, because the efforts were observed very quickly, the CNIL has not issued an injunction on fines.